CN117728990A - Numerical control equipment safety interconnection method - Google Patents


Info

Publication number: CN117728990A
Authority: CN (China)
Prior art keywords: link, numerical control, control equipment, application program, adapter
Legal status: Pending
Application number: CN202311602478.7A
Other languages: Chinese (zh)
Inventors: 冯冰艳, 代超仁, 王萧, 晏嫚, 杜鹏, 舟洋吉易, 吴玉欣
Current assignee: Wuhan Huazhong Numerical Control Co Ltd
Original assignee: Wuhan Huazhong Numerical Control Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Numerical Control (AREA)

Abstract

The present disclosure provides a method for the secure interconnection of numerical control equipment. The method comprises: in response to receiving a user's operation request, using the NC-Link agent to perform identity authentication and authority authentication on the application program corresponding to the operation request and on the NC-Link adapter, where the NC-Link adapters correspond one-to-one with the numerical control equipment, and where the interaction between the NC-Link agent and the NC-Link adapter and the interaction between the NC-Link agent and the application program pass through an industrial network security gateway; and executing the operation request in response to both the application program and the NC-Link adapter passing identity authentication and authority authentication. The network layer of the numerical control system is encapsulated on the basis of NC-Link, the industrial interconnection communication protocol for numerical control equipment, so that a standard intermediary is provided for an application program to collect data from numerical control equipment or to issue control instructions to it, and the security of the numerical control equipment interconnection is improved. The disclosure also provides a numerical control equipment secure interconnection apparatus, an electronic device and a storage medium.

Description

Numerical control equipment safety interconnection method
Technical Field
The disclosure relates to the technical field of data communication, and more particularly to a method for the secure interconnection of numerical control equipment.
Background
At present the network of a numerical control system has evolved into a numerical control equipment interconnection system. The continued development of two-way integration connects the formerly independent and closed numerical control production network to the enterprise management network and to the Internet, and this expansion of the network boundary inevitably leads to a steady stream of network attack events. Upgrade and maintenance of numerical control equipment depend heavily on manufacturers and suppliers; much equipment may be controlled remotely over the network; the system lacks security mechanisms such as user identity authentication and access control; and the upgrade and maintenance process of the equipment is uncontrolled, so that serious security risks exist. The interconnection protocol for numerical control equipment is already in use and will become an essential product for data acquisition and transmission in the future. Although the domestic NC-Link standard prescribes some security measures, the security design of NC-Link still needs to be strengthened for military environments, since NC-Link has not yet been widely adopted. The security problem of the numerical control equipment interconnection protocol therefore needs to be solved urgently.
Disclosure of Invention
In view of the above, the present disclosure provides an NC-Link secure interconnection method for numerical control equipment based on domestic cryptography.
The present disclosure provides a method for the secure interconnection of numerical control equipment, comprising: in response to receiving a user's operation request, using the NC-Link agent to perform identity authentication and authority authentication on the application program corresponding to the operation request and on the NC-Link adapter, where the NC-Link adapters correspond one-to-one with the numerical control equipment, and where the interaction between the NC-Link agent and the NC-Link adapter and the interaction between the NC-Link agent and the application program pass through an industrial network security gateway; and executing the operation request in response to both the application program and the NC-Link adapter passing identity authentication and authority authentication.
According to an embodiment of the present disclosure, the NC-Link agent stores a registered numerical control equipment list and a registered application program list; the registered numerical control equipment list comprises at least the identity authentication information of the numerical control equipment; the registered application program list comprises at least the authority level information of the applications; and the NC-Link adapter stores the authority level information of its corresponding numerical control equipment together with the model file of that equipment.
According to an embodiment of the present disclosure, before the step of performing identity authentication and authority authentication on the application program corresponding to the operation request and on the NC-Link adapter by means of the NC-Link agent, the method further includes: in response to the NC-Link adapter registering with the subject identifier (main body identifier) of its corresponding numerical control equipment, storing that numerical control equipment in the registered numerical control equipment list; and in response to the application program registering with the subject identifier of the device on which it runs, storing the application program in the registered application program list.
According to an embodiment of the present disclosure, performing identity authentication includes: in response to receiving the identity authentication information of the NC-Link adapter, authenticating the NC-Link adapter against the registered numerical control equipment list, where the identity authentication information comprises the physical address and the serial number of the numerical control equipment, and where the NC-Link adapter converts the data format uploaded by the numerical control equipment into the unified NC-Link data format and transmits it to the NC-Link agent; and in response to receiving the identity authentication information of the application program, authenticating the application program against the registered application program list.
According to an embodiment of the present disclosure, performing authority authentication includes the following. When the operation request is a data acquisition request: transmitting the data to the NC-Link agent in response to the NC-Link adapter that uploads the data passing identity authentication; acquiring the authority level information of the numerical control equipment corresponding to the NC-Link adapter and the authority level information of the application program that is to receive the data; and transmitting the data stored by the NC-Link agent to the application program in response to the authority level of the corresponding numerical control equipment being lower than the authority level of the application program and the application program passing identity authentication. When the operation request is a control instruction request: transmitting the control instruction to the NC-Link agent in response to the application program passing identity authentication; acquiring the authority level information of the numerical control equipment corresponding to the NC-Link adapter and the authority level information of the application program receiving data; and transmitting the control instruction stored by the NC-Link agent to the NC-Link adapter in response to the authority level of the corresponding numerical control equipment being lower than the authority level of the application program and the NC-Link adapter passing identity authentication.
According to an embodiment of the present disclosure, after the control instruction stored in the NC-Link agent is transmitted to the NC-Link adapter, the method further includes: checking whether the control instruction conforms to the model file of the numerical control equipment held by the NC-Link adapter; if so, executing the control instruction; if not, discarding it.
According to an embodiment of the present disclosure, the authentication header of the industrial network security gateway uses the SM3 algorithm, the key exchange protocol uses the SM2 algorithm, and data encryption uses the SM4 algorithm; the industrial network security gateway encrypts and decrypts the data exchanged between the NC-Link agent and the NC-Link adapter and between the NC-Link agent and the application program.
A second aspect of the present disclosure provides a numerical control equipment secure interconnection apparatus configured to implement the above method, comprising: an interconnection module, which, in response to receiving a user's operation request, uses the NC-Link agent to perform identity authentication and authority authentication on the application program corresponding to the operation request and on the NC-Link adapter, where the NC-Link adapters correspond one-to-one with the numerical control equipment and the interaction between the NC-Link agent and the NC-Link adapter passes through an industrial network security gateway; and an execution module, which executes the operation request in response to both the application program and the NC-Link adapter passing identity authentication and authority authentication.
A third aspect of the present disclosure provides an electronic device comprising one or more processors and a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out the numerical control equipment secure interconnection method.
A fourth aspect of the present disclosure provides a computer-readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the numerical control equipment secure interconnection method described above.
In the numerical control equipment secure interconnection method provided by the disclosure, the network layer of the numerical control system (whose core is the NC-Link adapter and the NC-Link agent) is encapsulated on the basis of NC-Link, the industrial interconnection communication protocol for numerical control equipment, so that the numerical control equipment of different intelligent processing units or production lines is connected. The NC-Link adapter, the NC-Link agent and the industrial network security gateway together carry out the interaction between the numerical control equipment and the application program, providing a standard intermediary for the application program to collect data from the numerical control equipment or to issue control instructions to it. The technical problem of secure interconnection of numerical control equipment is thus at least partially solved, with the technical effects of improving the access security and data transmission security of numerical control equipment terminals and adding access control measures.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a flow chart of a method of numerical control equipment safety interconnection in accordance with an embodiment of the present disclosure;
FIG. 2 schematically illustrates an NC-Link agent according to an embodiment of the disclosure;
FIG. 3 schematically illustrates an industrial network security gateway based on domestic cryptography in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a protection mode of an industrial network security gateway based on domestic cryptography according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates an NC-Link authentication procedure based on domestic cryptography in accordance with an embodiment of the disclosure;
FIG. 6 schematically illustrates an NC-Link authentication mode based on domestic cryptography in accordance with an embodiment of the disclosure;
FIG. 7 schematically illustrates security enhancements and adaptation routes for a numerical control system communication protocol in accordance with embodiments of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a numerical control equipment secure interconnection apparatus in accordance with an embodiment of the present disclosure;
FIG. 9 schematically illustrates a numerical control equipment industrial interconnection security system according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
First, the technical terms referred to herein are described as follows:
NC-Link: the networking of numerical control systems has made the functions of the numerical control network layer increasingly complex; the network layer has gradually become a network data exchange system, and traditional communication encryption can no longer meet its security needs. In order to mask the variability of numerical control equipment, a unified data exchange standard or protocol is adopted at the network layer, and the network layer of the numerical control system is encapsulated on the basis of NC-Link, the industrial interconnection communication protocol for numerical control equipment. NC-Link is a group standard formally promulgated by the China Machine Tool Industry Association. The NC-Link communication protocol standard comprises five parts: NC-Link general technical conditions, NC-Link machine tool model definition, NC-Link data item definition, NC-Link terminal and interface definition, and NC-Link security. The NC-Link standard considers terminal access security and data transmission security and adds access control measures. However, in environments with higher security requirements these security measures need to be strengthened, in particular by combining them with domestic cryptographic algorithms.
NC-Link adapter: in order to realize identity authentication of the adapter, an adapter supporting domestic cryptography for identity authentication of numerical control equipment (numerical control machine tools, robots, AGVs and the like) is first developed on the basis of the NC-Link standard, driven by a technical verification scenario. The NC-Link adapter is the bridge between the numerical control equipment and the NC-Link agent. The adapter masks the differences between physical devices and interacts with the NC-Link agent using the syntax and semantics defined by the NC-Link standard. The NC-Link adapter implements three main functional modules: a driver layer module adapted to the various device types, each of which requires its own driver module; an adapter protocol stack module, which encapsulates and decapsulates data, that is, encapsulates source data in various formats into NC-Link protocol data units and sends them to the NC-Link agent, or parses NC-Link protocol data units issued by the NC-Link agent into a format the specific device can recognise and passes it to the device through the driver module; and a communication module, which performs device registration, device login, connection maintenance, and data transmission and reception.
NC-Link agent: FIG. 2 schematically illustrates an NC-Link agent according to an embodiment of the present disclosure. The agent mainly implements routing and forwarding of NC-Link protocol data, secure access of devices and applications, user identity authentication and authorization. The adapter connects to the agent with a legitimate identity and registers with its device terminal identifier. The client application software likewise connects to the agent with a legitimate identity; the NC-Link agent forwards data for the client application software, completes identity verification and authorization, and cooperates with the adapter to implement the data transmission security function, as shown in FIG. 7.
Industrial network security gateway: FIG. 3 schematically illustrates an industrial network security gateway based on domestic cryptography according to an embodiment of the present disclosure. An industrial network security encryption gateway supporting cloud platforms is developed on the basis of domestic cryptography and IPv6, using communication encryption that is transparent to users for network transmission, so as to provide the numerical control system network with a high-performance VPN remote secure interconnection service based on domestic cryptographic algorithms. Conventional IPsec uses two main sub-protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). In the IPsec used here, the hash algorithm of the authentication header is SM3, the key exchange protocol uses SM2, and data encryption uses SM4; the industrial network security gateway encrypts and decrypts the data exchanged between the NC-Link agent and the NC-Link adapter and between the NC-Link agent and the application program.
Subject identifier (main body identifier): in order to prevent illegitimate terminals from accessing the NC-Link system of the interconnected communication network, the system needs to assign a subject identifier to each subject (adapter or application program) that accesses the network. The subject identifier is a set of data that identifies an identity; it may be a network card MAC address, a 4G chip serial number or a device serial number; an application program may also be represented by the IP address, user name and password of the device on which it runs; or an industrial Internet identifier currently being rolled out (Ecode, OID, Handle) and the like may be used. The subject identifier is generated and held by the terminal (adapter, application program), is centrally managed by the agent, and supports auditing, querying, deregistration and other functions based on the identifier.
FIG. 1 schematically illustrates a flowchart of a method for the secure interconnection of numerical control equipment according to an embodiment of the present disclosure. As shown in FIG. 1, the method includes: in response to receiving a user's operation request, using the NC-Link agent to perform identity authentication and authority authentication on the application program corresponding to the operation request and on the NC-Link adapter, where the NC-Link adapters correspond one-to-one with the numerical control equipment, and where the interaction between the NC-Link agent and the NC-Link adapter and the interaction between the NC-Link agent and the application program pass through an industrial network security gateway; and executing the operation request in response to both the application program and the NC-Link adapter passing identity authentication and authority authentication.
Through the embodiment of the disclosure, a secure and trusted interconnection technology with the NC-Link protocol at its core is provided: a security enhancement mechanism is designed for the NC-Link adapter and the NC-Link agent, mainstream security capabilities such as identity authentication, access control and transmission encryption are realized, and ultimately the secure and trusted interconnection of the open numerical control system protocol is achieved.
On the basis of the above embodiment, the NC-Link agent stores a registered numerical control equipment list and a registered application program list; the registered numerical control equipment list comprises at least the identity authentication information of the numerical control equipment; the registered application program list comprises at least the authority level information of the applications; and the NC-Link adapter stores the authority level information of its corresponding numerical control equipment together with the model file of that equipment.
According to the embodiment of the disclosure, to address the problem of integrating the NC-Link protocol with attribute-based access control, authority control over the uplink and downlink operations of the numerical control system is realized by embedding identity and attribute certificates in the NC-Link agent.
Based on the above embodiment, the step of performing identity authentication and authority authentication on the application program corresponding to the operation request and on the NC-Link adapter by means of the NC-Link agent further includes: in response to the NC-Link adapter registering with the subject identifier of its corresponding numerical control equipment, storing that numerical control equipment in the registered numerical control equipment list; and in response to the application program registering with the subject identifier of the device on which it runs, storing the application program in the registered application program list.
In this embodiment, the identity of an adapter accessing the system is authenticated before any data exchange. The terminal subject identifier of the adapter is stored in a numerical control equipment model, which is injected into the adapter by the security officer. After the adapter connects to NC-Link it actively initiates an identity registration request and transmits the numerical control equipment model to the agent; from it the agent obtains the physical address and product serial number of the numerical control equipment and verifies whether the equipment is legitimate. If it is legitimate, the agent communicates with the domestic cryptographic infrastructure to obtain the required key, signature and other information, returns the authentication-passed information (such as a token and a key) and stores it in the agent; the adapter obtains its legitimate identity when the system administrator assigns authority through the NC-Link security management platform. Otherwise, an error is returned. This completes the identity authentication of the NC-Link adapter. An adapter that passes identity authentication can connect to the NC-Link system and exchange information; it should be able to keep proving its identity to the agent in subsequent accesses, and the key generated in this process should be used to protect the transmitted data in subsequent interactions between the adapter and the agent. When the adapter connects to the NC-Link system it registers with the terminal subject identifier, that is, the identity authentication information of the adapter is bound to the terminal subject identifier.
In this embodiment, before application software or a data center accesses the NC-Link network layer for data interaction, the terminal subject identifier of the application must be registered with the agent. Before each data interaction the application program sends an identity authentication request to the agent; on receiving it, the agent communicates with the domestic cryptographic infrastructure according to the stored identity information of the application program to obtain the application's identity authentication information, and only after the application program passes identity authentication can it exchange data with the NC-Link agent.
It should be noted that the present disclosure adopts mutual authentication to ensure the identity security of the agent during initialization, and, on the basis of the NC-Link numerical control communication protocol carried over TLS with domestic (national) cryptographic algorithms, provides confidentiality and integrity protection of the communication while ensuring identity reliability. The security enhancement and adaptation technical route for the numerical control system communication protocol is shown in FIG. 7.
Through the embodiment of the disclosure, the agent occupies the core position, so its security is equally important; to ensure the security of the agent, the identities of the application and of the adapter must be authenticated before the agent interacts with either of them.
Based on the above embodiment, performing identity authentication includes: in response to receiving the identity authentication information of the NC-Link adapter, authenticating the NC-Link adapter against the registered numerical control equipment list, where the identity authentication information comprises the physical address and the serial number of the numerical control equipment, and where the NC-Link adapter converts the data format uploaded by the numerical control equipment into the unified NC-Link data format and transmits it to the NC-Link agent; and in response to receiving the identity authentication information of the application program, authenticating the application program against the registered application program list.
In this embodiment, the terminals accessing the NC-Link system are divided into two types: numerical control equipment terminals, including numerical control machine tools, robots, AGVs and the like; and upper-layer application software, such as MES, ERP and quality control software, which also includes the data center. The numerical control equipment is connected to NC-Link through an adapter; the adapter is part of the numerical control system and may be integrated inside it or placed outside it. Because adapters correspond one-to-one with numerical control equipment, the adapter can stand in for the numerical control equipment for identity recognition.
It should be noted that FIG. 6 schematically illustrates an NC-Link authentication mode based on domestic cryptography according to an embodiment of the present disclosure. On the basis of the X.509 standard, the dynamic policy configuration of attribute-based access control is used to overcome the mismatch between the life cycles of identity certificates and attribute certificates, so that identity and attribute certificates are combined and bound and the number of certificates stored and exchanged is reduced; combined with the NC-Link protocol, online services for applying for, auditing, issuing, publishing and revoking identity and attribute certificates are provided for users, processes, equipment and other subjects, realizing lightweight identity and attribute certificate services. On the basis of Trusted Computing 3.0 TPCM and the trusted cryptographic service, a multi-level key management mechanism within the certificate service is studied, realizing key separation, master keys deriving encryption keys, encryption keys protecting data keys, session keys and the like, so that life-cycle protection is formed for keys at every level and a lightweight identity and attribute certificate service is realized.
According to the embodiment of the invention, identity authentication is performed on the NC-Link adapter and the application program using the registered numerical control equipment list and the registered application program list stored in the NC-Link agent. This protects the data exchanged between the NC-Link agent and the NC-Link adapter and between the NC-Link agent and the application program, so that only legitimate NC-Link terminals (bottom-layer numerical control equipment and upper-layer application systems) can access NC-Link.
Fig. 5 schematically illustrates an NC-Link authentication process based on domestic cryptographic algorithms according to an embodiment of the present disclosure. As shown in fig. 5, authority authentication proceeds as follows.
When the operation request is an acquisition data request: in response to the identity authentication of the NC-Link adapter uploading the data passing, the data is transmitted to the NC-Link agent; the authority level of the numerical control equipment corresponding to the NC-Link adapter and the authority level of the application program receiving the data are obtained; and in response to the authority level of the corresponding numerical control equipment being lower than that of the application program and the identity authentication of the application program passing, the data stored by the NC-Link agent is transmitted to the application program.
When the operation request is a control instruction request: in response to the identity authentication of the application program passing, the control instruction is transmitted to the NC-Link agent; the authority level of the numerical control equipment corresponding to the NC-Link adapter and the authority level of the application program are obtained; and in response to the authority level of the corresponding numerical control equipment being lower than that of the application program and the identity authentication of the NC-Link adapter passing, the control instruction stored by the NC-Link agent is transmitted to the NC-Link adapter.
In this embodiment, the NC-Link agent exchanges data between the bottom-layer numerical control equipment and the upper-layer application program or data center, which achieves the data interaction of the numerical control equipment. From the perspective of the NC-Link system, data is divided into two directions, upstream and downstream. Upstream data, also called acquisition data, typically includes operating data, attribute data of the numerical control equipment and parameter data of registers (e.g., of the PLC), such as axis current, rotational speed, machine model, error information and tool information. Downstream data generally means control data, such as an emergency-stop command for the machine tool. Whichever data is accessed, only legitimate users may access it. Access control of NC-Link data comprises access control of acquisition data and access control of control instructions.
Access control of acquisition data is as follows. Whether data to be collected is transmitted to the NC-Link system is decided by the numerical control equipment terminal. After receiving data from numerical control equipment, the agent authenticates the identity of that equipment and accepts data only from equipment that passes identity authentication. The application program obtains the data collected by the agent in subscription mode; before transmitting data to the application program, the agent checks the identity of the application program, and only a registered application program can obtain the agent's collected data. The agent also checks the security authority and legitimacy of the application program with the NC-Link security management platform, and only an application program that passes this check obtains the subscribed data. For application scenarios with a high security level, mandatory access control is used, with access decided by the security level of the data and the security level of the application program.
Access control of control instructions is as follows. Because control instructions can control the numerical control equipment, stricter access control measures are required. A control instruction includes a feature field for data sensitivity, which carries the identity of the sender of the instruction and the authority level at which the instruction may be operated. If the adapter receives a control instruction whose feature field does not match the feature field held in the adapter, the adapter discards the instruction. Control instructions are subject not only to discretionary and mandatory access control policies but also to a control policy based on service content: whether a control instruction may be executed must be specified in the model file of the numerical control equipment. For example, if the model file of the numerical control equipment specifies that emergency stop is not allowed, the adapter discards a machine emergency-stop instruction even if the access control rules match it. Whether a control instruction is finally executed is decided by the actuator of the numerical control equipment.
According to the embodiment of the disclosure, the NC-Link agent controls the data exchange between the bottom-layer numerical control equipment and the upper-layer application program or data center, so that the numerical control equipment achieves data interaction while only legitimate users can obtain data and issue control instructions through NC-Link. For the message routing and bridging problems of NC-Link agents, a distributed deployment scheme is provided that improves parallel processing efficiency; remote attestation, trusted interoperation, caching, persistence and self-protection of NC-Link protocol agents under the trusted computing 3.0 framework are realized, and trusted network connection and active immunity of the agents are realized through customized security policies.
On the basis of the above embodiment, after the control instruction stored in the NC-Link agent is transmitted to the NC-Link adapter, the method further includes: detecting whether the control instruction conforms to the model file of the numerical control equipment held in the NC-Link adapter; if so, executing the control instruction; if not, discarding the control instruction.
In this embodiment, a control policy based on service content must be specified in the model file of the numerical control equipment and loaded into the NC-Link adapter.
Through this embodiment of the disclosure, the NC-Link adapter further judges whether a control instruction can be executed safely, which protects the numerical control equipment.
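As an added example (not code from the patent or from Wuhan Huazhong Numerical Control), the following Python models the agent-side identity authentication and authority-level checks of the acquisition-data and control-instruction flows described above, together with the adapter-side feature-field and model-file check. Device identifiers, MAC addresses, serial numbers, level values, command names, the feature-field layout and the two-step store-then-deliver handling of control instructions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Feature field of a control instruction: (sender identity, authority level).
# This layout is a constructed assumption, not the patent's own format.
Feature = Tuple[str, int]

@dataclass
class DeviceRecord:
    """Entry in the registered numerical control equipment list."""
    mac: str       # physical address (identity authentication information)
    serial: str    # serial number    (identity authentication information)
    level: int     # authority level of the device

@dataclass
class Adapter:
    """NC-Link adapter: one per device, holding its feature field and model file."""
    device_id: str
    accepted: Set[Feature]        # feature fields the adapter will accept
    model_file: Dict[str, bool]   # command -> permitted by the business rules?

class NCLinkAgent:
    def __init__(self) -> None:
        self.devices: Dict[str, DeviceRecord] = {}   # registered equipment list
        self.apps: Dict[str, int] = {}               # registered app list: app -> level
        self.collected: Dict[str, dict] = {}         # latest acquisition data per device
        self.pending: Dict[str, List[dict]] = {}     # stored control instructions per device

    def register_device(self, device_id: str, mac: str, serial: str, level: int) -> None:
        self.devices[device_id] = DeviceRecord(mac, serial, level)

    def register_app(self, app_id: str, level: int) -> None:
        self.apps[app_id] = level

    def authenticate_adapter(self, device_id: str, mac: str, serial: str) -> bool:
        rec = self.devices.get(device_id)
        return rec is not None and (rec.mac, rec.serial) == (mac, serial)

    def authenticate_app(self, app_id: str) -> bool:
        return app_id in self.apps

    def _level_ok(self, device_id: str, app_id: str) -> bool:
        # Mandatory check: device level must be strictly lower than the app level.
        dev = self.devices.get(device_id)
        return dev is not None and app_id in self.apps and dev.level < self.apps[app_id]

    def upload(self, device_id: str, mac: str, serial: str, payload: dict) -> bool:
        # Upstream: acquisition data is accepted only from an authenticated adapter.
        if not self.authenticate_adapter(device_id, mac, serial):
            return False
        self.collected[device_id] = payload
        return True

    def subscribe(self, app_id: str, device_id: str) -> Optional[dict]:
        # Upstream: registered app and level check before stored data is released.
        if not self.authenticate_app(app_id) or not self._level_ok(device_id, app_id):
            return None
        return self.collected.get(device_id)

    def control(self, app_id: str, device_id: str, command: str) -> bool:
        # Downstream step 1: an authenticated app's instruction is stored in the agent.
        if not self.authenticate_app(app_id):
            return False
        instr = {"feature": (app_id, self.apps[app_id]), "command": command}
        self.pending.setdefault(device_id, []).append(instr)
        return True

    def deliver(self, device_id: str, mac: str, serial: str) -> List[dict]:
        # Downstream step 2: adapter authenticated and level check passed -> transmit.
        if not self.authenticate_adapter(device_id, mac, serial):
            return []
        queued = self.pending.pop(device_id, [])
        return [i for i in queued if self._level_ok(device_id, i["feature"][0])]

def adapter_execute(adapter: Adapter, instruction: dict) -> str:
    """Adapter side: the feature field must match, then the model file must permit the command."""
    if instruction["feature"] not in adapter.accepted:
        return "discarded:feature-field"
    if not adapter.model_file.get(instruction["command"], False):
        return "discarded:model-file"
    return "executed"   # final execution still rests with the device's actuator

def scenario() -> dict:
    """Constructed walk-through of both request types; returns the observed outcomes."""
    agent = NCLinkAgent()
    agent.register_device("lathe-01", "00:11:22:33:44:55", "SN-0001", level=1)
    agent.register_device("robot-02", "66:77:88:99:AA:BB", "SN-0002", level=3)
    agent.register_app("MES", level=2)
    lathe = Adapter("lathe-01", accepted={("MES", 2)},
                    model_file={"EMERGENCY_STOP": False, "FEED_HOLD": True})
    r: dict = {}
    r["upload_ok"] = agent.upload("lathe-01", "00:11:22:33:44:55", "SN-0001", {"axis_current": 3.2})
    r["upload_bad_serial"] = agent.upload("lathe-01", "00:11:22:33:44:55", "SN-XXXX", {"axis_current": 9.9})
    r["mes_reads_lathe"] = agent.subscribe("MES", "lathe-01")
    r["mes_reads_robot"] = agent.subscribe("MES", "robot-02")   # level 3 is not below 2
    r["unregistered_app"] = agent.subscribe("ERP", "lathe-01")
    agent.control("MES", "lathe-01", "EMERGENCY_STOP")
    agent.control("MES", "lathe-01", "FEED_HOLD")
    agent.control("MES", "robot-02", "FEED_HOLD")
    r["deliver_lathe"] = [adapter_execute(lathe, i)
                          for i in agent.deliver("lathe-01", "00:11:22:33:44:55", "SN-0001")]
    r["deliver_robot"] = agent.deliver("robot-02", "66:77:88:99:AA:BB", "SN-0002")
    r["tampered"] = adapter_execute(lathe, {"feature": ("ERP", 2), "command": "FEED_HOLD"})
    return r
```

The level comparison is strict, as the description states it: a device whose level equals the application's level is refused, both for reading its data and for receiving instructions. The model file is the only place a command can be allowed, so a command it does not list is discarded even when the agent-side checks passed, and the feature-field check makes the adapter drop an instruction whose sender tag does not match what it was provisioned with.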
On the basis of the above embodiment, the authentication header of the industrial network security gateway uses the SM3 algorithm, its key exchange protocol uses the SM2 algorithm, and its data encryption uses the SM4 algorithm; the industrial network security gateway encrypts and decrypts the data exchanged between the NC-Link agent and the NC-Link adapter and between the NC-Link agent and the application program.
Fig. 4 schematically illustrates a protection mode of an industrial network security gateway based on domestic cryptographic algorithms according to an embodiment of the present disclosure. To solve the identity authentication and data transmission security problems of applications such as DNC, MDC, MES and ERP in an open numerical control system, security proxy technologies at the application, transport and network layers are studied, and a VPN security gateway based on web applications, network ports and a virtual network card (L3 VPN) is implemented on the basis of the national cryptographic algorithms. The security problems of the various communication protocols (HTTP, FTP, NFS, CIFS) between numerical control system applications and the numerical control machine tool and background services are studied, and detection, early warning and blocking of various network intrusions are provided. For the network isolation and unidirectional transmission control of data based on the VPN gateway, strict access control to the sensitive area of the numerical control system is realized. The fusion of the NC-Link security gateway with the trusted computing 3.0 trusted network is realized, finally forming a trustworthy network protection boundary with VPN encryption.
It should be noted that the functions of the industrial network security gateway further include at least the following. A high-performance network packet forwarding processing package provides driver and function library support for high-speed message processing. The industrial network security gateway fully supports IPv6: its IPSec IKE module, encryption module, WebUI and related modules are improved for full compatibility with configuration, negotiation and communication under IPv6, and all data flows entering and leaving the IP layer are intercepted using an encapsulation/substitution approach and given IPSec processing. Cloud platform deployment is fully supported. The system comprises an SSL network communication service module, a client program module, an identity authentication module, an access control module, a user and policy database, and a log module.
According to the embodiment of the disclosure, the industrial network security gateway is modified following the national cryptography standards: the existing network security gateway is comprehensively modified and hardened according to the IPSec VPN technical specification and the IPSec VPN product specification issued by the State Cryptography Administration, and extended with the usability and compatibility requirements of market users in mind, so that, on the premise of the high-strength SM2, SM3 and SM4 algorithms and a high-security system architecture, the gateway is also adaptable and extensible to the user's network environment and complex requirements.
It should be noted that the present disclosure implements the fusion of domestic cryptography and NC-Link for environments with higher security requirements, and has at least one of the following advantages:
(1) The fusion of domestic cryptography and NC-Link is realized, and an NC-Link secure interconnection method based on domestic cryptography is provided, comprising: an industrial network security gateway based on domestic cryptography; NC-Link terminal identity authentication based on domestic cryptography; the NC-Link access control technique; and agent security protection. Together these secure the data interaction over the whole chain of data adaptation and conversion, transmission and access control, an innovation combining a numerical control system with domestic cryptography.
(2) Adapting heterogeneous communication protocols (MTConnect, OPC UA, umati, etc.) on the basis of the NC-Link protocol guarantees the openness and flexibility of production line integration while allowing the numerical control network to be accessed in a secure and trustworthy way, forming a secure and trustworthy interconnection and interoperation method for numerical control systems of mixed brands and foreign models, with uploaded/downloaded process files, machining code and the like transmitted as ciphertext.
(3) Under the trusted computing 3.0 framework, the identity certificate and attribute certificate are combined into one, a lightweight identity & attribute certificate service system is built, and application, audit, issuance and destruction of certificates are realized in combination with the NC-Link protocol. The various network protocols for mutual access among devices, user access to devices and user access to application programs are optimized and secured; the attributes of a user/device are obtained through its identity, fine-grained access control is enforced according to the attribute-based access control policy, and security problems such as unauthorized access and lateral movement are avoided. A single sign-on function is provided for a numerical control system with several applications, avoiding repeated authentication, so that access to the whole network is authenticated once in an open network environment. The security and trustworthiness of the NC-Link agent node are guaranteed by the fused design of the trusted control module, the cryptographic service module and the NC-Link agent.
(4) An NC-Link numerical control communication protocol based on national cryptographic TLS provides confidentiality and integrity protection of the communication while guaranteeing the trustworthiness of identities; authority control of upstream and downstream operations of the numerical control system is realized by embedding the identity and attribute certificate into NC-Link, solving the fusion of the NC-Link protocol with attribute-based access control.
(5) For the message routing and bridging problems of NC-Link agents, a distributed deployment scheme is provided that improves parallel processing efficiency; remote attestation, trusted interoperation, caching, persistence and self-protection of NC-Link protocol agents under the trusted computing 3.0 framework are realized, and trusted network connection and active immunity of the agents are realized.
Based on the numerical control equipment safety interconnection method, the disclosure further provides a numerical control equipment safety interconnection device configured to be used for realizing the numerical control equipment safety interconnection method. The device will be described in detail below in connection with fig. 8.
Fig. 8 schematically illustrates a block diagram of a numerical control equipment safety interconnect device 800 according to an embodiment of the present disclosure.
As shown in fig. 8, the numerical control equipment safety interconnection device 800 of this embodiment includes an interconnection module 801 and an execution module 802 configured to enable the above-described numerical control equipment safety interconnection method.
The interconnection module 801 is configured to perform identity authentication and authority authentication on an application program and an NC-Link adapter corresponding to an operation request by using an NC-Link agent in response to receiving the operation request of a user; wherein, NC-Link adapter corresponds to numerical control equipment one by one; interaction between the NC-Link agent and the NC-Link adapter is performed through an industrial network security gateway.
And the executing module 802 is configured to execute the operation request in response to the identity authentication and the authority authentication of the application program and the NC-Link adapter passing.
Fig. 9 schematically illustrates a numerical control equipment industrial interconnection safety system according to an embodiment of the present disclosure.
The big-data requirements of intelligent manufacturing call for interconnection and data exchange among the numerical control equipment of the intelligent factory, the intelligent production line and the intelligent processing unit. Numerical control equipment interconnection has two layers: interconnection of the intelligent processing units or numerical control equipment inside an intelligent production line; and data exchange between the numerical control equipment of an intelligent processing unit or intelligent production line and other processing units, cloud data centers, application systems (e.g., MES, ERP) and the like. The diversity of the bottom-layer numerical control equipment makes a unified interconnection standard necessary. The method and device adopt NC-Link, a communication protocol for numerical control industrial interconnection, to interconnect the numerical control equipment.
As shown in fig. 9, the present disclosure realizes an NC-Link security system based on a domestic cryptographic infrastructure, mainly comprising user and group settings, numerical control equipment management, authority rule settings, information query and the like. The security functions are supported by the basic security modules provided by the domestic cryptographic infrastructure, the security of the application system is handled according to conventional security requirements, and the NC-Link system consists of adapters connected to the numerical control equipment and an agent. Each piece of numerical control equipment is provided with an adapter; the adapter stores a device model describing the numerical control equipment (numerical control machine tool, robot, etc.) connected to it, collects the operating data or parameter data of the numerical control equipment and sends them to the agent, which in turn transmits them to the data center or application program; control instructions are issued along the reverse path.
(1) To secure the transmission of collected data and control instructions, an industrial network security gateway is added between the adapter and the agent and between the agent and the application program, and communication is encrypted in hardware or software.
(2) Identity authentication is performed when numerical control equipment or an application system accesses NC-Link. Because the numerical control equipment is connected to the agent through the adapter, the subject identifier of the numerical control equipment is stored in the device model on the adapter, and the adapter performs identity authentication on behalf of the numerical control equipment.
(3) Based on the realities of industrial production, and considering that different numerical control equipment in an intelligent factory or production line has different security levels, the equipment is divided into security levels and so are the application programs, and access control combines mandatory security-level matching with role-based authority. Issued control instructions are critical to production safety, so in addition to the access control rules, the authority and on/off switch of each instruction are set in the device model file, that is, access control is combined with business rules. Data stored on the agent is secured by distributed storage and access control, and its consistency is guaranteed by digital signatures.
(4) The security of the agent is guaranteed.
The present disclosure also provides an electronic device according to an embodiment of the present disclosure, which includes a processor that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage section into a Random Access Memory (RAM). The processor may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor may also include on-board memory for caching purposes. The processor may comprise a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM, various programs and data required for the operation of the electronic device are stored. The processor, ROM and RAM are connected to each other by a bus. The processor performs various operations of the method flow according to embodiments of the present disclosure by executing programs in ROM and/or RAM. It should be noted that the program may also be stored in one or more memories other than ROM and RAM. The processor may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to embodiments of the present disclosure, the electronic device may further include an input/output (I/O) interface, which is also connected to the bus. The electronic device may also include one or more of the following components connected to the I/O interface: an input section including a keyboard, a mouse, etc.; an output section including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc.; a storage section including a hard disk or the like; and a communication section including a network interface card such as a LAN card, a modem, and the like. The communication section performs communication processing via a network such as the internet. The drives are also connected to the I/O interfaces as needed. Removable media such as magnetic disks, optical disks, magneto-optical disks, semiconductor memories, and the like are mounted on the drive as needed so that a computer program read therefrom is mounted into the storage section as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. The numerical control equipment safety interconnection method is characterized by comprising the following steps of:
responding to a received operation request of a user, and carrying out identity authentication and authority authentication on an application program corresponding to the operation request and an NC-Link adapter by utilizing an NC-Link agent; wherein, NC-Link adapter corresponds to numerical control equipment one by one; the interaction between the NC-Link agent and the NC-Link adapter and the interaction between the NC-Link agent and the application program are performed through an industrial network security gateway;
And executing the operation request in response to the passing of the identity authentication and the authority authentication of the application program and the NC-Link adapter.
2. The method of claim 1, wherein the NC-Link agent stores a registered numerical control equipment list and a registered application list; wherein the registered numerical control equipment list at least comprises identity authentication information of the numerical control equipment; the registered application program list at least comprises authority level information of the application;
and the NC-Link adapter stores the authority level information of the corresponding numerical control equipment and the model file of the numerical control equipment.
3. The method of claim 2, wherein the authenticating the identity and the authority of the application program and the NC-Link adapter corresponding to the operation request by using the NC-Link agent further comprises:
responding to the NC-Link adapter to register by using the main body identifier of the corresponding numerical control equipment, and storing the corresponding numerical control equipment into the registered numerical control equipment list;
and responding to the application program to register by using the main body identifier of the equipment where the application program is located, and storing the application program into the registered application program list.
4. The method of claim 2, wherein performing the identity authentication comprises:
in response to receiving the identity authentication information of the NC-Link adapter, carrying out identity authentication on the NC-Link adapter by utilizing the registered numerical control equipment list; the identity authentication information comprises a physical address and a serial number of the numerical control equipment; the NC-Link adapter converts the data format uploaded by the numerical control equipment into a unified NC-Link data format and transmits the unified NC-Link data format to the NC-Link agent;
and in response to receiving the identity authentication information of the application program, authenticating the application program by using the registered application program list.
5. The method of claim 2, wherein performing the rights authentication comprises:
responding to the operation request as an acquisition data request: transmitting the data to the NC-Link agent in response to the passing of the identity authentication of the NC-Link adapter uploading the data; acquiring authority level information of numerical control equipment corresponding to the NC-Link adapter, and acquiring the authority level information of the application program of the received data; transmitting data stored by the NC-Link agent to the application program in response to the permission level of the corresponding numerical control equipment being lower than the permission level of the application program and the identity authentication of the application program being passed;
Responding to the operation request as a control instruction request: transmitting a control instruction to the NC-Link agent in response to the passing of the identity authentication of the application program; acquiring authority level information of numerical control equipment corresponding to the NC-Link adapter, and acquiring the authority level information of the application program of the received data; and transmitting the control instruction stored by the NC-Link agent to the NC-Link adapter in response to that the authority level of the corresponding numerical control equipment is lower than that of the application program and the identity authentication of the NC-Link adapter is passed.
6. The method of claim 5, wherein the transmitting the NC-Link agent stored control instructions to the NC-Link adapter further comprises:
detecting whether the control instruction accords with a model file of numerical control equipment in the NC-Link adapter;
if yes, executing the control instruction;
if not, discarding the control instruction.
7. The method of claim 5, wherein the authentication header of the industrial network security gateway uses an SM3 algorithm, the key exchange protocol uses an SM2 algorithm, and the data encryption uses an SM4 algorithm; and the industrial network security gateway encrypts and decrypts the data interacted between the NC-Link agent and the NC-Link adapter and between the NC-Link agent and the application program.
8. A numerical control equipment safety interconnection device configured to be used to implement the numerical control equipment safety interconnection method of any one of claims 1 to 7, comprising:
the interconnection module is used for responding to the received operation request of a user and carrying out identity authentication and authority authentication on an application program corresponding to the operation request and the NC-Link adapter by utilizing the NC-Link agent; wherein, NC-Link adapter corresponds to numerical control equipment one by one; interaction between the NC-Link agent and the NC-Link adapter is performed through an industrial network security gateway;
and the execution module is used for responding to the passing of the identity authentication and the authority authentication of the application program and the NC-Link adapter and executing the operation request.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
CN202311602478.7A 2023-11-28 2023-11-28 Numerical control equipment safety interconnection method Pending CN117728990A (en)


Publications (1)

Publication Number Publication Date
CN117728990A true CN117728990A (en) 2024-03-19

Family

ID=90200726

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311602478.7A Pending CN117728990A (en) 2023-11-28 2023-11-28 Numerical control equipment safety interconnection method

Country Status (1)

Country Link
CN (1) CN117728990A (en)

Similar Documents

Publication Publication Date Title
CN110996318B (en) Safety communication access system of intelligent inspection robot of transformer substation
US8959334B2 (en) Secure network architecture
US10484357B1 (en) Method and apparatus for federated single sign on using authentication broker
US11209803B2 (en) Firewall system and method for establishing secured communications connections to an industrial automation system
US20040153171A1 (en) System and methodology providing automation security architecture in an industrial controller environment
CN111770092B (en) Numerical control system network security architecture and secure communication method and system
WO2009032097A1 (en) Highly scalable architecture for application network appliances
US11362827B2 (en) IOT security mechanisms for industrial applications
US11985113B2 (en) Computing system operational methods and apparatus
CN116055254A (en) Safe and trusted gateway system, control method, medium, equipment and terminal
WO2014105914A1 (en) Security enclave device to extend a virtual secure processing environment to a client device
CN103401885A (en) Network file authorization control method, device and system
WO2023279782A1 (en) Access control method, access control system and related device
KR101839048B1 (en) End-to-End Security Platform of Internet of Things
CN116633576A (en) Safe and reliable NC-Link agent, control method, equipment and terminal
US20220182229A1 (en) Protected protocol for industrial control systems that fits large organizations
CN117728990A (en) Numerical control equipment safety interconnection method
JP2009508213A (en) Providing consistent application-compatible firewall traversal
Luo et al. Routing and security mechanisms design for automotive tsn/can fd security gateway
EP2095598B1 (en) Secure network architecture
CN111628960A (en) System and method for network management
EP1976219A1 (en) Secure network architecture
US20230328045A1 (en) Secure shell and role isolation for multi-tenant compute
Vaglica et al. A JRC FIWARE Testbed for SMART Building and Infrastructures
EP4323898A1 (en) Computer-implemented methods and systems for establishing and/or controlling network connectivity

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination